Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  1. Cheat sheets and Notes
  2. Windows Privilege escalation

Communication with processes

PreviousWindows Privilege escalationNextWindows User Privileges

Last updated 1 year ago

Access Tokens

  • access tokens are often used to describe the security context of a process or thread

  • Tokens often include information in relation to the user account identity and privileges relating to the specific processes or thread

  • when a user authenticates to a system, their password is verified against a security database, and if properly authenticated, they will be assigned an access token

  • Every time a user interacts with a process, a copy of this token will be presented to determine their privilege level

Enumerating network services

  • Most common way of interacting with processes is through network sockets (DNS, HTTP, SMB, etc)

  • The netstat command will display any active UDP or TCP connection there giving us a better idea of what services are listening on which ports both locally or internally

Displaying Active Network connections

netstat -ano

  • the main thing we want to look within Active Network Connections are entries listening on the local loop back address

127.0.0.1
::1

  • examples of priv esc via running processes

Named Pipes

The other way processes communicate with each other is through Named Pipes

What are named pipes?

  • Pipes are essentially files stored in memory that get cleared out after being read.

  • Pipes are used for communication between two applications or processes using shared memory

example of a named pipe

\\.pipename\\examplepipeserver

  • Windows systems uses a client-server implementation for pipe communication, In this type of implementation, the process that creates a named pipe is the server, and the process communicating with the named server is the client.

  • Named pipes can communicate using half-duplex or a one way channel

  • Every connection to a named pipe server results in the creation of a new named pipe. These all share the same pipe name but communicate using different data buffers

Listing names pipes with pipelist (cmd)

pipelist.exe /accepteula

Listing named pipes in powershell 

 gci \\.\pipe\

  • After obtaining a listing of named pipes, we can utilize Accesschk to enumerate permissions assigned to a specific named pipe by reviewing the Discretionary Access List (DACL)

  • The DACL will show us who has the permissions to modify, write, read, execute a resource

Lets review the LSASS process, we can also review the DACLs of all named pipes using the command

.\accesschk.exe /accepteula \pipe\.

Reviewing LSASS Named Pipe permissions

.\accesschk.exe /accepteula \pipe\lsass -v

results

\\.\Pipe\lsass
  Untrusted Mandatory Level [No-Write-Up]
  RW Everyone
        FILE_ADD_FILE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL
  RW NT AUTHORITY\ANONYMOUS LOGON
        FILE_ADD_FILE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL
  RW APPLICATION PACKAGE AUTHORITY\Your Windows credentials
        FILE_ADD_FILE
        FILE_LIST_DIRECTORY
        FILE_READ_ATTRIBUTES
        FILE_READ_DATA
        FILE_READ_EA
        FILE_WRITE_ATTRIBUTES
        FILE_WRITE_DATA
        FILE_WRITE_EA
        SYNCHRONIZE
        READ_CONTROL
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS

  • we can see from the output that only administrators have full access to the LSASS process

Named Pipes Attack example

searching for any named pipe that allows write access, we can use accesschk for this

 .\accesschk.exe -w \pipe\* -v

we can see someting interesting in the output

\\.\Pipe\WindscribeService
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
  RW BUILTIN\Administrators
        FILE_ALL_ACCESS

  • we can see the group Everyone has read or write access over this pipe

  • From here we could leverage these lax permissions to escalate privileges on the host to SYSTEM

Now I did have to download the accesschk.exe tool from we can download the whole sysinternal suit

https://download.sysinternals.com/files/SysinternalsSuite.zip
LogoSplunk Universal Forwarder HijackingMedium
LogoSplunk Universal Forwarder Hijacking 2: SplunkWhisperer2 | Clément Notin | Blog